Koozali.org: home of the SME Server

ZoneAlarm Alert

AlecN

ZoneAlarm Alert
« on: December 10, 2001, 05:23:14 PM »
Got this Alert just a while ago on a PC running ZA basic behind SME5:
The firewall has blocked Internet access to your computer (ICMP Time Exceeded) from 4.24.6.38. Occurred: 2 times between 10/12/01 11:16:14 PM and 10/12/01 11:16:14 PM

Can anyone shed some light on this?

AlecN

Re: ZoneAlarm Alert
« Reply #1 on: December 11, 2001, 03:12:22 AM »
I am surprised that no one has commented on this. Maybe I've got it all wrong, but I thought that this kind of intrusion was not possible behind a Linux firewall. If it wasn't for ZoneAlarm, then I figure that this "probe" could have had its way with my PC. The traceroute is as follows:

 3  202.12.157.71 (202.12.157.71)  63.838 ms  58.969 ms  63.830 ms
 4  GigabitEthernet4-0-0.lon5.Melbourne.telstra.net (139.130.49.33)  61.120 ms  59.478 ms  62.191 ms
 5  GigabitEthernet3-2.lon-core3.Melbourne.telstra.net (203.50.76.89)  60.041 ms  61.638 ms  63.017 ms
 6  GigabitEthernet4-0.win-core1.Melbourne.telstra.net (203.50.77.18)  61.123 ms  61.359 ms  61.107 ms
 7  Pos2-0.ken-core4.Sydney.telstra.net (203.50.6.165)  72.809 ms  72.804 ms  70.893 ms
 8  GigabitEthernet0-0.pad-core4.Sydney.telstra.net (203.50.6.190)  74.166 ms  74.433 ms  70.075 ms
 9  GigabitEthernet0-0.syd-core01.Reach.telstra.net (203.50.13.242)  74.164 ms  69.518 ms  74.965 ms
10  Pos12-1.wil-core1.LosAngeles.net.reach.com (203.50.126.74)  242.109 ms  241.536 ms  239.114 ms
11  p3-1.lsanca1-cr5.bbnplanet.net (4.24.56.113)  239.912 ms  242.572 ms  242.089 ms
12  p3-1.lsanca1-cr6.bbnplanet.net (4.24.4.25)  239.928 ms  242.593 ms  242.899 ms
13  p2-0.lsanca1-cr8.bbnplanet.net (4.24.4.14)  246.231 ms  248.404 ms  242.086 ms
14  p6-0.lsanca2-br2.bbnplanet.net (4.24.5.53)  241.821 ms  243.681 ms  245.076 ms
15  p9-0.crtntx1-br2.bbnplanet.net (4.24.5.62)  277.974 ms  280.373 ms  280.138 ms
16  p15-0.crtntx1-br1.bbnplanet.net (4.24.10.113)  279.865 ms  279.801 ms  281.760 ms
17  p9-0.iplvin1-br2.bbnplanet.net (4.24.10.214)  298.114 ms  299.818 ms  299.686 ms
18  p15-0.iplvin1-br1.bbnplanet.net (4.24.10.153)  301.084 ms  299.902 ms  298.604 ms
19  p13-0.phlapa1-br1.bbnplanet.net (4.24.10.181)  313.351 ms  314.185 ms  316.268 ms
20  p15-0.phlapa1-br2.bbnplanet.net (4.24.10.90)  313.838 ms  313.777 ms  316.810 ms
21  so-0-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.185)  314.928 ms  319.480 ms  317.079 ms
22  so-4-1-0.atlnga1-br1.bbnplanet.net (4.24.6.38)  326.341 ms  326.568 ms  323.607 ms

Can someone please put me straight.
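As an added illustration (not part of the thread and not SME Server or ZoneAlarm code), the following Python script cross-checks a ZoneAlarm alert line against a traceroute listing. ICMP Time Exceeded is the message a router sends back when a packet's TTL runs out, which is exactly what traceroute provokes, so an alert whose source address appears as a hop on a path this host has traced is triaged as a router reply rather than an inbound probe. The alert text and traceroute excerpt are constructed from what is quoted above; the alert wording and hop-line layout are assumed to match what the posts show.

```python
import re

# Constructed sample alert, in the wording ZoneAlarm used in the post above.
ALERT = ("The firewall has blocked Internet access to your computer "
         "(ICMP Time Exceeded) from 4.24.6.38. Occurred: 2 times between "
         "10/12/01 11:16:14 PM and 10/12/01 11:16:14 PM")

# Constructed excerpt of the traceroute from the post (last two hops).
TRACEROUTE = """\
21  so-0-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.185)  314.928 ms  319.480 ms  317.079 ms
22  so-4-1-0.atlnga1-br1.bbnplanet.net (4.24.6.38)  326.341 ms  326.568 ms  323.607 ms
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "(ICMP Time Exceeded) from 4.24.6.38." -> kind and source address
ALERT_RE = re.compile(r"\((?P<kind>[^)]+)\) from (?P<src>" + IPV4 + ")")
# "22  host.example (4.24.6.38)  326.341 ms ..." -> hop number, host, address
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<host>\S+)\s+\((?P<ip>" + IPV4 + r")\)")


def parse_alert(text):
    """Return {'kind': ..., 'src': ...} or None if the line is not an alert."""
    m = ALERT_RE.search(text)
    return {"kind": m.group("kind"), "src": m.group("src")} if m else None


def parse_traceroute(text):
    """Map each hop address to (hop number, hostname); unresolved '*' hops are skipped."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[m.group("ip")] = (int(m.group("hop")), m.group("host"))
    return hops


def triage(alert_text, traceroute_text):
    """Classify the alert; returns (verdict, detail)."""
    alert = parse_alert(alert_text)
    if alert is None:
        return ("unparsed", "alert line did not match the expected format")
    if alert["kind"] != "ICMP Time Exceeded":
        return ("review", f"{alert['kind']} from {alert['src']}: not a TTL-expiry reply, check separately")
    hops = parse_traceroute(traceroute_text)
    if alert["src"] in hops:
        hop, host = hops[alert["src"]]
        return ("benign", f"router reply from hop {hop} ({host}) on a path this host traced")
    # Time Exceeded is still a router's reply to a packet whose TTL ran out, not a connection attempt.
    return ("low-priority", f"TTL-expiry reply from {alert['src']}, a router not on any recorded path")


if __name__ == "__main__":
    print(triage(ALERT, TRACEROUTE))
```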

Dan G.

Re: ZoneAlarm Alert
« Reply #2 on: December 11, 2001, 03:38:29 AM »
The problem with personal firewalls is that their #1 goal is mere self-promotion.  99.9% of all "alerts" you will see from any such product are the result of harmless network housekeeping, and no cause for concern whatsoever.  I can't really give you any details on your particular "attack," but I don't think it merits much investigation.  There is likely a very innocuous explanation for it though.

Dan

Ed Form

Re: ZoneAlarm Alert
« Reply #3 on: December 11, 2001, 03:40:28 AM »
This coincides with something I found on Saturday. My test setup is a server running e-smith 4.1.2 talking to a Windows XP workstation. I run Sygate Personal Firewall Pro to stop the &*^%$!!>< XP workstation from dialing out all the time - some Windows XP components cannot be stopped from asking for the internet every time you run them. The workstation uses the server as its internet connection - it has a second network card and a router/dial-up modem combination.

If I run the Sygate Stealth port scan that is available on their website, the report lists a bunch of ports but says that they are all blocked. If I unload the Sygate PFW-Pro and run the same scan again, it reports a lot more items, lists each one as 'unknown' and gives no test results. This doesn't happen on a direct-contact Windows machine without the software firewall; that reports all the open ports quite happily. So running a software firewall on a workstation that connects to the internet via an e-smith server seems to make the workstation more visible to the outside world.

Ed Form

AlecN

Re: ZoneAlarm Alert
« Reply #4 on: December 11, 2001, 06:45:10 AM »
Thanks for the replies, much appreciated. Maybe the only use for a PFW behind SME is to stop spyware etc, i.e. keep control of all the other software we accumulate on our win PCs.

Thanks again